Google has warned “high profile” Gmail users working for the US Government that they are potentially being targeted by Chinese state-sponsored threat actors with a phishing attack.
Google’s Threat Analysis Group (TAG) warned “multiple” people that APT31 (also known as Judgment Panda and Zirconium) was after their sensitive information, and that the phishing attacks were successfully blocked in their email services.
"In February, we detected an APT31 phishing campaign targeting high profile Gmail users affiliated with the U.S. government," Google Threat Analysis Group's Director Shane Huntley noted.
Not linked to Ukraine
"Today, we sent those people who were targeted, government-backed attacker warnings. We don't have any evidence to suggest that this campaign was related to the current war in Ukraine."
Earlier this week, TAG also warned of Russian, Belarusian, and Chinese threat actors targeting Ukrainian and European government and military organization endpoints with “widespread” phishing and Distributed Denial of Service (DDoS) attacks.
"Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter," Huntley said in the report.
Huntley added that it’s hard to determine whether or not the attacks have anything to do with the situation in Ukraine.
Since 2012, Google has been sending out notifications to affected customers whenever it spots attacks using infrastructure known to be linked to state-sponsored threat actors.
BleepingComputer notes that Google TAG security engineer Ajax Bash announced the company sent out some 50,000 of these alerts last year. Of that number, almost a third (15,000) were linked to APT28, a threat actor that allegedly has strong ties to Russia’s General Staff Main Intelligence Directorate (GRU).
The last time APT31 made headlines, it was spotted targeting Russia-based organizations with phishing, after which it would distribute never-before-seen malware.
Daniil Koloskov, Senior Threat Analysis Specialist at Positive Technologies, observed at the time that APT31 was particularly cunning in developing and deploying the malware. Not only did the malware employ various detection-avoidance techniques, but it also self-destructed after accomplishing its goals, wiping all traces of the files and registry keys it created.
“In order to make the malicious library look like the original version, they named it MSVCR100.dll—the library with the exact same name is part of Visual C++ for Microsoft Visual Studio and is present on almost all computers. In addition, it contains as exports the names that can be found in the legitimate MSVCR100.dll,” said Koloskov.
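A defender's check for the masquerading Koloskov describes, as an added example that is not part of the original article or of Positive Technologies' research: because the file name and export names can be copied, it triages every copy of the DLL by its Authenticode signature instead. The `$Root` parameter, the `Test-Msvcr100Copy` function name and the expected signer pattern are assumptions made for this example.

```powershell
# Added example: triage every msvcr100.dll under a root by Authenticode signature.
# $Root and the expected signer pattern are assumptions; adjust them for your environment.
param(
    [string]$Root = 'C:\'
)

function Test-Msvcr100Copy {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $sig = Get-AuthenticodeSignature -LiteralPath $File.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # A file name and an export table can be imitated; a signature that
    # validates to the expected publisher cannot be produced the same way.
    $trusted = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Path      = $File.FullName
        SigStatus = $sig.Status
        Signer    = $subject
        SHA256    = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
        Modified  = $File.LastWriteTimeUtc
        Suspect   = -not $trusted
    }
}

# Windows file name matching is case-insensitive, so MSVCR100.dll is covered too.
Get-ChildItem -LiteralPath $Root -Filter 'msvcr100.dll' -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Test-Msvcr100Copy -File $_ } |
    Sort-Object Suspect -Descending |
    Format-Table Suspect, SigStatus, Signer, Path -AutoSize
```

Copies flagged as suspect are leads for review rather than verdicts; the hash and modification time in each record help correlate them with other telemetry.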
Via: BleepingComputer